What is SAP GRC? — Access & Process Control

SAP GRC access control and process control are automated tools to manage an internal security model, remediate compliance issues, and monitor potential business risks within an SAP system. When users have too much access in a system, they can damage the company and break compliance both by intentional misuse (e.g. using privileges to steal money or goods) and accidental misuse (e.g. by making a mistake in accounting or bypassing a quality control safeguard). By logging access, transactions and other information, GRC software addresses compliance, quality, fraud and other internal security issues.

SAP GRC access control focuses on what users can do, while SAP GRC process control focuses on what users are doing. For example, if the system allowed managers to review workers’ medical records, SAP GRC access control would detect the potential for a HIPAA violation and create an alert. If someone were actually looking through the company’s medical records improperly, process control would alert monitors.

Expert Insight: Scott Goolik, VP of Compliance and Security

Access Control and Process Control are analogous to different types of security in a bank. SAP GRC access control is like locked doors, guards and alarms — it controls who can enter and exit sensitive areas, and sounds the alarm if someone enters a room they shouldn’t. An SAP GRC Access Control tool like the ControlPanelGRC® Access Control Suite is the first step in a GRC program, allowing companies to modernize role management, Segregation of Duties (SoD), auditing and other basic compliance tasks.

SAP GRC Process Control is similar to drawer counts, reconciliation checks and identity and credit verification. It examines processes looking for signs of fraud or theft.

SAP GRC process control is particularly useful for companies with routine audit problems that aren’t solved by access control. This can include organizations with remediation plans based on past breaches or compliance violations, companies in tightly regulated industries or those with complex structures which make auditing difficult. A solution like ControlPanelGRC Process Control Suite can also be useful for companies with mature GRC programs, looking for a way to further reduce risk.

What follows is a comprehensive guide to Symmetry’s top SAP GRC insights that IT leaders need to know.

Why are SAP GRC Access and Process Control Important?

Compliance requirements like Sarbanes-Oxley (SOX), as well as industry-specific rules like 21 CFR Part 11, mandate controls to detect, mitigate and prevent misconduct. These rules are backed up by auditing and hefty noncompliance penalties, but leave many of the details of implementation up to companies.

Traditionally, companies would manually review internal records to meet regulatory compliance goals. They would compile data into audit reports, which could also be used to detect fraud, design remediation efforts and perform other compliance activities.

Unfortunately, this technique is time-consuming and inefficient; it can take hundreds of hours to compile company access logs and to create, authenticate and review reports. Manual reporting also leads to data entry errors, which can cause false positives. And by the time the information is reviewed, it’s usually at least a few months old.

This increases risks by delaying remediation. It also makes change control difficult to impossible, since there’s no practical way to check user access changes for Segregation of Duties (SoD) risks against current data. Additionally, these reports typically only sample access data, since it’s impractical to check everything by hand. Both internal fraud and external intrusions can slip by, making document-centric remediation a poor tool for both security and compliance.

Remediation efforts also tend to fail without SAP GRC access control and process control. It’s very difficult to streamline the security model and see all the possible consequences of changing a user’s role, for example. As a result, companies often end up introducing new compliance issues, building excessively complex roles that further burden SAP GRC efforts, or both.

SAP GRC access control and process control solve these problems by automating most of the work that goes into creating audit reports, as well as detecting and remediating internal compliance issues. Output is generated directly from change logs, eliminating errors and allowing a complete review of access and business processes.

The software also centralizes controls and evaluates changes before they are implemented, allowing users to remediate easily and prevent unintended consequences. Change control can also be automated, instantly detecting issues that could otherwise sit in the system for years, unnoticed.

What is SAP GRC Access Control?

Within the SAP environment, users are assigned roles, which give them particular privileges to access particular data and perform particular actions. SAP GRC access control governs these roles, handling both routine access within the system, and special permissions such as emergency access.

SoD is a key part of access control. Compliance regimes like Sarbanes-Oxley prohibit users from having certain combinations of privileges which can lead to fraud. For example, if a user is able to create and pay vendors, the user could use that ability to funnel money to collaborators, or simply steal money and hide their tracks through fake vendors. Therefore, businesses need to organize roles so that different users are responsible for entering vendors and payments.

Other types of access pose inherent security and compliance risks. For example, the ability to access credit card data or reconfigure the system could allow a user to do harm to a company, through theft, sabotage and negligence.

SAP GRC access control guards against both kinds of risks by controlling what users can do and recording what they are doing. Within ControlPanelGRC, the Risk Analyzer holds segregation of duties rules, organized in a user-friendly fashion. It examines what users can do, and automatically executes what-if analysis to determine potential compliance issues. The module generates reports and notifications, allowing managers to remediate compliance issues as they’re detected.

Risk analysis is integrated with the User and Role Management module, which ensures change management and ongoing compliance. If a user takes on a new job or moves to a different department, they need to be assigned a new role, but this can cause SoD issues if not handled properly. User and Role Management analyzes the request for potential problems before assigning it. It also automates the workflow, ensuring that risks are examined, and roles are assigned and signed off on by the proper parties.
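The what-if check described above, as an added example (not ControlPanelGRC code): a request for a new role is evaluated against the user's combined access before it is assigned, and only the risks the request would newly introduce are reported. The ruleset, risk IDs, role names and routing labels are constructed for illustration, the transaction codes are classic SAP ERP codes, and the check works at transaction level only.

```python
# Added example: transaction-level SoD what-if analysis.
# Ruleset, risk IDs, role names and routing labels are constructed.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02", "FK01"},
    "pay_vendor": {"F110", "F-53"},
    "enter_invoice": {"FB60", "MIRO"},
}
# Each risk is a pair of functions that one user must not hold together.
RISKS = {
    "P001": ("maintain_vendor", "pay_vendor"),
    "P003": ("maintain_vendor", "enter_invoice"),
}
# Hypothetical roles and the transaction codes they grant.
ROLES = {
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_AP_CLERK": {"FB60", "FBL1N"},
    "Z_BUYER": {"ME21N", "ME23N"},
}


def analyze(roles):
    """Return {risk_id: (tcodes for side A, tcodes for side B)} for held risks."""
    # A conflict can span roles, so evaluate the union of everything granted.
    codes = set().union(*(ROLES[r] for r in roles))
    hits = {}
    for risk_id, (func_a, func_b) in RISKS.items():
        side_a = codes & FUNCTIONS[func_a]
        side_b = codes & FUNCTIONS[func_b]
        if side_a and side_b:
            hits[risk_id] = (sorted(side_a), sorted(side_b))
    return hits


def what_if(current_roles, requested_role):
    """Risks the request would add, with the tcodes that cause them."""
    before = analyze(current_roles)
    after = analyze(set(current_roles) | {requested_role})
    return {rid: ev for rid, ev in after.items() if rid not in before}


def route(current_roles, requested_role):
    """Clean requests go to normal approval; new risks go to a risk owner."""
    new_risks = what_if(current_roles, requested_role)
    return ("risk-owner-review" if new_risks else "standard-approval", new_risks)


if __name__ == "__main__":
    print(route({"Z_VENDOR_MASTER"}, "Z_AP_PAYMENTS"))
    print(route({"Z_VENDOR_MASTER"}, "Z_BUYER"))
```

Neither role in the first request is a conflict on its own; the risk only appears when their transaction codes are combined, which is why the analysis runs on the user's total access rather than on the requested role alone.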

In an emergency, an SAP BASIS administrator or other user might need an extraordinary amount of access in the system to fix a critical error or other issue. Within SAP GRC access control, the Emergency Access Manager handles this access, minimizing its potential risks. Users can create pre-approved authorizations to assign emergency privileges. During the emergency, everything the user does is tracked for audit purposes. Users must also indicate why they requested emergency access and what they did, providing detailed descriptions which are then routed to managers automatically for review.

HR data is a special challenge for SAP GRC access control. It must be kept accurate and up to date, but it also contains sensitive information which requires tightly restricted access. Many SAP GRC access control modules handle SoD, but don’t place extra safeguards on this data.

ControlPanelGRC takes a more secure approach with the HR Analyzer™. This tool logs access and screen views of secure data, and notifies executives immediately of any indication that HR records have been improperly accessed or viewed. Data is automatically scrambled outside of production, ensuring it can’t be compromised by system testing and other non-HR uses.

HR Analyzer also synchronizes HR changes like hiring, terminations, job reassignments and pay raises with user provisioning processes handled elsewhere in SAP GRC. This ensures HR accuracy and cuts down on the time it takes to change employee status.

What is SAP GRC Process Control?

If your audits require you to spend a lot of time recreating transactions or proving that something bad didn’t happen, a tool like the ControlPanelGRC Process Control Suite can be a huge help. Instead of focusing on user roles and privileges, SAP GRC process control focuses on the business processes themselves, monitoring them to ensure they’re handled correctly.

Process control gives businesses a second chance to catch problems that they may have missed in SAP GRC access control. For example, SAP has a configuration flag that allows you to prohibit duplicate invoices from being paid. However, if that duplicate check has been disabled or wasn’t configured properly in the first place, SAP process control would detect it, using the transactional checks — that is, by inspecting the actual business transactions that occurred.

The ControlPanelGRC Process Analyzer for Procure to Pay can spot users making payments to vendors who haven’t been approved, or paying a duplicate invoice that may indicate fraud. Another module monitors Order to Cash transactions, allowing you to spot improper changes to customer credit limits, or excessive (and potentially fraudulent) returns. Both modules look for exceptions to business rules. If an issue is detected, key personnel are notified in real time, and the system provides tools for quick remediation.
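A transactional check of the kind described above, as an added example (not ControlPanelGRC code): it inspects paid-invoice records directly, so it still flags duplicates and unapproved vendors when the preventive configuration flag is off. The records, the approved-vendor list, the exception labels and the matching key (vendor, normalized reference, amount, currency) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal
from typing import NamedTuple


class Payment(NamedTuple):
    doc: str
    vendor: str
    ref: str
    amount: Decimal
    currency: str
    user: str


APPROVED_VENDORS = {"V100", "V200"}  # constructed approved-vendor list

# Constructed sample records, standing in for an extract of paid invoices.
PAYMENTS = [
    Payment("5100001", "V100", "INV-1001", Decimal("1250.00"), "USD", "JDOE"),
    Payment("5100002", "V200", "88321", Decimal("400.00"), "USD", "ASMITH"),
    Payment("5100003", "V100", "inv 1001", Decimal("1250.00"), "USD", "JDOE"),
    Payment("5100004", "V900", "A-17", Decimal("9800.00"), "USD", "JDOE"),
    Payment("5100005", "V200", "88321", Decimal("450.00"), "USD", "ASMITH"),
]


def normalize_ref(ref):
    """Reduce a reference to upper-case alphanumerics without leading zeros,
    so formatting variants of the same invoice number compare equal."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper()).lstrip("0")


def find_exceptions(payments, approved=APPROVED_VENDORS):
    """Return sorted (kind, document numbers, users) business-rule exceptions."""
    exceptions = []
    groups = defaultdict(list)
    for p in payments:
        key = (p.vendor, normalize_ref(p.ref), p.amount, p.currency)
        groups[key].append(p)
        if p.vendor not in approved:
            exceptions.append(("UNAPPROVED_VENDOR", (p.doc,), (p.user,)))
    for group in groups.values():
        if len(group) > 1:
            docs = tuple(p.doc for p in group)
            users = tuple(sorted({p.user for p in group}))
            exceptions.append(("DUPLICATE_INVOICE", docs, users))
    return sorted(exceptions)


if __name__ == "__main__":
    for exception in find_exceptions(PAYMENTS):
        print(exception)
```

Documents 5100002 and 5100005 share a vendor and reference but differ in amount, so they are not reported under this key; how strict the key should be is a tuning decision between missed duplicates and false positives.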

The Enterprise Risk Management (ERM) module enhances documentation, testing and execution of controls. It helps companies ensure their controls are configured and functioning properly, and aligned with compliance requirements. This makes it particularly useful for stringent compliance regimes, such as HIPAA, SOX and 21 CFR Part 11.

The AutoAuditor™ eliminates the stress and delays of compiling audits across your SAP GRC environment. It syncs with other ControlPanelGRC modules, and schedules and pushes audits to the right users. This automates execution, delivery and validation, ensuring your organization doesn’t miss an important deadline or step.

What is SAP GRC — Other Tools

Although SAP GRC access control and process control are the most important tools, certain vendor-specific products can support other areas of the GRC process. ControlPanelGRC offers a Security Acceleration Suite that automates many routine tasks in SAP security administration. For example, its User and Role Change Analyzer helps admins analyze and compare multiple role versions, document changes, alter multiple roles at once and analyze and remediate inadvertent problems with role changes. By automating these tasks, admins can save time and understand security changes better, reducing risk and cost.

ControlPanelGRC also offers a Basis Control Suite to help manage routine SAP Basis tasks, such as transports and batch jobs — something no other GRC software vendor currently offers. For companies without outside Basis support, this reduces the amount of time and work involved in day-to-day SAP Basis administration, reducing the burden on internal IT.

It also reduces the security risks posed by the slow or lax administration common among overtaxed internal teams. Many of the most dangerous SAP vulnerabilities prey on companies whose IT departments don’t have time to perform routine patching and maintenance promptly. By automating these tasks, the Basis Control Suite virtually eliminates the most frequently exploited cyber security vulnerabilities.

Should I Outsource SAP GRC Administration?

Like anything else in IT managed services, it depends on the vendor and on your internal resources. If you have SAP GRC access control software that produces incomprehensible output, the problem probably isn’t your compliance team — it’s the software or the vendor support; if your software doesn’t provide high level overviews for executives, clear technical data for administration and multi-level access for compliance teams, switch to a product that does.

But in many cases, outsourcing SAP GRC access control and process control can save money and improve your compliance program. The right IT managed services provider can ensure your software is set up and configured properly, free your internal staff to work on more strategic projects, and provide an invaluable outside observer to prevent issues like fraud and poor change management.

Symmetry’s Security Complete PlusGRC provides total security and compliance services, taking the stress out of protecting business assets. Our highly-trained consultants are experts in SAP administration, security and compliance, providing a level of protection very few organizations could afford to hire internally. Services include 24x7x365 user administration and compliance monitoring, and comprehensive reporting across all levels of your organization.

Because we offer a complete range of SAP services, we can provide as much or as little IT infrastructure support as you need. Whether you’re looking for a partner to configure, host and manage your entire SAP environment, or just some help setting up your SAP GRC program, Symmetry is the ideal managed services partner.

Solving SAP GRC Access Control with ControlPanelGRC

With ever-changing governance, risk and compliance (GRC) functions, relying on manual processes and documents to control your SAP environment only prevents your business from growing and being agile, efficient, and resourceful. Automating your GRC access control can also prove challenging due to its complexity and the need for an integrated end-to-end approach.


Automating Emergency Access Management

Emergency Access Management (EAM) is complex because of its potential Segregation of Duties (SoD) conflicts and audit issues. With the variety of access scenarios and SAP GRC Firefighter IDs to maintain and manage, having an automated EAM process helps avoid opportunities for human error, while allowing SAP Security and Basis resources to prioritize more valuable business initiatives.

Ultimately, ControlPanelGRC’s EAM module eliminates manual security procedures, reduces the overall time and cost of audit preparation, and helps businesses have the security and agility to be prepared for any SAP emergency scenario.

SAP GRC Mitigating Controls Automated with ControlPanelGRC

Managing SAP GRC mitigating controls can be a manual and time-consuming process that lacks systematic analysis, real-time alerts of compliance violations, and consistent compliance reporting. All of these limitations affect an organization’s ability to keep track of potential incidents and thus increase overall risk.

An automated solution for GRC mitigating controls like ControlPanelGRC Risk Analyzer is key to reducing Segregation of Duties (SoD) conflicts, identifying conflicts in real-time, and solving issues with reports that contain all necessary information.

Some of the processes involved are subject to internal or external regulation, such as SOX and HIPAA, meaning rulesets must meet the requirements of both internal and external auditors. Rulesets can also proliferate, because each business process needs a custom, accurate reflection of its risk impact and likelihood.

ControlPanelGRC Risk Analyzer can help simplify the GRC ruleset process with its rulebooks, which can be easily leveraged to customize rulesets for different business processes and auditor requirements, as well as its ability to define risks by authorization and transaction level.

Organizations face a variety of information access risks due to stakeholders’ potential need to obtain sensitive information like invoices, HR records, and financial reports. Manually managing all of the policies and procedures put in place to avoid fraud can thus be time consuming and can let errors go overlooked.

That’s why implementing GRC software can help your company simplify compliance and risk analysis by automatically and continually monitoring data and reporting. This will also keep your company ready for ever increasing audit requirements.

The technical SAP skills, compliance knowledge, and business insight required to implement GRC mitigation controls, while also regularly monitoring security and controls, require a dedicated SAP admin team that midmarket companies often lack. Without proper automation tools, risk mitigation proves time consuming. The midmarket focus on keeping IT investments and resources over time also results in an ad-hoc IT strategy, which makes improving SAP GRC more complex.

Automation tools and security consultants provided by ControlPanelGRC can help solve common midmarket risk management issues with its real-time risk detection, continuous monitoring, and centralized controls.

Key Considerations for SAP GRC SOX Compliance

Segregation of Duties (SoD) controls prevent users from getting several incompatible roles that could increase the risk of fraud. Having automated SAP GRC compliance monitoring can also help indicate signs of risk in real time. Using a GRC solution like ControlPanelGRC can also help avoid using generic firefighter IDs in emergency access situations, a practice that poses compliance risks. Lastly, having automated SAP audit reporting helps prepare your company for internal and external audits.

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.